Many services require users to authenticate their identities before accessing personal information or conducting private transactions with the service. For example, a website may require users to create accounts, and a user must log in to the account before accessing the website. The most common method used to authenticate a user to a service is a shared secret, or password, known to both the user and the service. The login procedure typically involves entering a username and password combination: the username selects an account with a particular set of permissions, and the password authenticates the identity of the account user.
OpenID is an exemplary authentication standard that allows users to log on to many services using a single digital identity. Because neither the OpenID protocol nor the services that use OpenID mandate a specific type of authentication, non-standard forms of authentication may be employed. For example, OpenID can authenticate a user with a physical token or with a biometric method, such as a fingerprint or retinal scan. However, these alternative methods require hardware that is not readily available to all users, so most services rely on password authentication. Unfortunately, password authentication may be insecure: passwords are often weak and easily guessed, and a captured password can be replayed by an attacker.
Overview
An identification system comprises a communication interface. The communication interface is configured to receive from a mobile device a registration request to initiate an access session between the mobile device and a communication network, wherein the registration request comprises a device identifier that identifies the mobile device. In response to the registration request, the communication interface is configured to transfer a packet address to the mobile device, wherein the mobile device transfers a service request for a service on the communication network during the access session, wherein the service request includes the packet address. The communication interface is configured to receive an identification request transferred from an authentication system in response to the service request, wherein the identification request indicates the packet address. In response to the identification request, the communication interface is configured to transfer the device identifier for delivery to the authentication system to authenticate the mobile device for the service using the device identifier.
A method of operating an identification system comprises receiving from a mobile device a registration request to initiate an access session between the mobile device and a communication network, wherein the registration request comprises a device identifier that identifies the mobile device. In response to the registration request, the method transfers a packet address to the mobile device, wherein the mobile device transfers a service request for a service on the communication network during the access session, and wherein the service request includes the packet address. The method further comprises receiving an identification request transferred from an authentication system in response to the service request, wherein the identification request indicates the packet address, and, in response to the identification request, transferring the device identifier for delivery to the authentication system to authenticate the mobile device for the service using the device identifier.
A method of operating a communication system comprises, in a mobile device, transferring a registration request to an identification system to initiate an access session between the mobile device and a communication network, wherein the registration request comprises a device identifier that identifies the mobile device. In the identification system, in response to the registration request, transferring a packet address to the mobile device. In the mobile device, transferring a service request for a service on the communication network during the access session, wherein the service request includes the packet address. In the service, in response to the service request, transferring an authentication request for the service to the mobile device. In the mobile device, upon receiving the authentication request, transferring the service request to an authentication system, wherein the service request includes the packet address. In the authentication system, receiving the service request transferred from the mobile device, and, in response to the service request, transferring an identification request to the identification system, wherein the identification request indicates the packet address. In the identification system, receiving the identification request transferred from the authentication system, determining the device identifier associated with the packet address indicated in the identification request, and transferring the device identifier to the authentication system. In the authentication system, determining a user identifier associated with the service based on the device identifier, encrypting an authentication assertion comprising the user identifier, and transferring the authentication assertion to the mobile device. In the mobile device, receiving the authentication assertion transferred from the authentication system, and transferring the authentication assertion to the service. In the service, decrypting the authentication assertion to recover the user identifier, and verifying the user identifier to authenticate a user of the mobile device requesting the service.
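The exchange described above depends on one binding: the identification system must answer "which device holds this packet address" only while that device's access session is live. The following Python model is an added example and not code from the patent or any product it describes. It plays through the registration, service request, identification request and assertion steps with the four parties as in-process objects, and it adds the checks a defender would want around the binding: the address-to-device mapping is dropped when the session is released or its lease expires, a released address that the pool hands to a new device no longer identifies the old one, and the service rejects an assertion that has been tampered with or is too old. The device identifiers, user name, address pool and `webmail` service name are constructed values; the sealing routine (an HMAC-SHA256 keystream with encrypt-then-MAC) stands in for whatever encryption a real deployment would use between the authentication system and the service, since the page does not specify one.

```python
import hashlib
import hmac
import json
import os

T0 = 1_700_000_000.0                     # constructed "now" for the walkthrough
DEVICE_ID = "IMEI-CONSTRUCTED-0001"      # constructed device identifier


# --- sealing of the authentication assertion (stand-in for "encrypting") ---
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:                     # PRF in counter mode
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def open_sealed(key, blob):
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None                              # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- the four parties -------------------------------------------------------
class IdentificationSystem:
    """Binds a device identifier to the packet address issued for one access session."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}          # packet address -> (device identifier, expiry)
        self.free = ["10.0.0.10"]   # constructed address pool; released addresses are reused

    def register(self, device_id, now):
        addr = self.free.pop() if self.free else f"10.0.0.{10 + len(self.sessions)}"
        self.sessions[addr] = (device_id, now + self.ttl)
        return addr

    def release(self, addr):        # access session ends: drop the binding, recycle the address
        if self.sessions.pop(addr, None) is not None:
            self.free.append(addr)

    def identify(self, addr, now):  # answers the identification request
        entry = self.sessions.get(addr)
        if entry is None or now >= entry[1]:
            self.sessions.pop(addr, None)        # expired lease must not identify anyone
            return None
        return entry[0]

class AuthenticationSystem:
    def __init__(self, idsys):
        self.idsys, self.users, self.keys = idsys, {}, {}

    def enroll(self, service, device_id, user_id, key):
        self.users[(service, device_id)] = user_id
        self.keys[service] = key                 # key shared with that service

    def authenticate(self, service_request, now):
        device_id = self.idsys.identify(service_request["packet_address"], now)
        user_id = self.users.get((service_request["service"], device_id))
        if device_id is None or user_id is None:
            return None
        assertion = {"user": user_id, "service": service_request["service"], "issued": now}
        return seal(self.keys[service_request["service"]], json.dumps(assertion).encode())

class Service:
    def __init__(self, name, key, max_age=60):
        self.name, self.key, self.max_age = name, key, max_age

    def verify(self, sealed, now):               # decrypt, then verify the user identifier
        plain = open_sealed(self.key, sealed) if sealed else None
        if plain is None:
            return None
        a = json.loads(plain)
        if a["service"] != self.name or not 0 <= now - a["issued"] <= self.max_age:
            return None
        return a["user"]


def build():
    idsys, key = IdentificationSystem(), os.urandom(32)
    authsys, service = AuthenticationSystem(idsys), Service("webmail", key)
    authsys.enroll("webmail", DEVICE_ID, "alice", key)
    return idsys, authsys, service

def run_flow(now=T0):
    idsys, authsys, service = build()
    addr = idsys.register(DEVICE_ID, now)                        # registration -> packet address
    req = {"service": "webmail", "packet_address": addr}         # service request carries it
    assertion = authsys.authenticate(req, now)                   # service answers with an auth request; device forwards req
    return service.verify(assertion, now)                        # device hands the assertion to the service

def reused_address_is_not_misidentified(now=T0):
    idsys, authsys, service = build()
    addr = idsys.register(DEVICE_ID, now)
    idsys.release(addr)                                          # first device's session ends
    addr2 = idsys.register("IMEI-CONSTRUCTED-0002", now + 1)     # pool hands the same address out
    req = {"service": "webmail", "packet_address": addr2}
    return addr2 == addr, authsys.authenticate(req, now + 1)     # second device is not enrolled

def tampered_or_stale_assertion_is_rejected(now=T0):
    idsys, authsys, service = build()
    req = {"service": "webmail", "packet_address": idsys.register(DEVICE_ID, now)}
    assertion = bytearray(authsys.authenticate(req, now))
    assertion[20] ^= 0x01                                        # flip one ciphertext bit
    fresh = authsys.authenticate(req, now)
    return service.verify(bytes(assertion), now), service.verify(fresh, now + 3600)
```

The point the model makes concrete is that the device identifier is only as trustworthy as the session binding behind it: `identify` refuses an address whose lease has lapsed, `release` recycles the address so a later holder is identified on its own registration, and the service checks both the seal and the issue time so a forwarded assertion cannot be reused long after the access session that produced it.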